Content Type: Examples
In July 2018, Election Systems and Software (ES&S), long the top US manufacturer of voter machines, admitted in a letter to Senator Ron Wyden (D-OR) that it had installed pcAnywhere remote access software and modems on a number of the election management systems it had sold between 2000 and 2006. The admission was in direct contradiction to the company's response for a New York Times article earlier in the year on US voting machines' vulnerability to hacking. ES&S says it stopped…
Content Type: Examples
In the run-up to the 2018 US mid-term elections, researchers found that the dissemination of fake news on Facebook was increasingly a domestic American phenomenon rather than, as in the 2016 presidential election, an effort driven by state-backed Russian operatives. Removing such accounts (Twitter) and pages (Facebook) is tricky in the US, where the boundary between free speech and disinformation is particularly sensitive. In addition, domestic disinformation is harder to distinguish. One of…
Content Type: Examples
A few months before the US 2018 midterm elections, the Trump campaign team signed a contract with the newly-formed Virginia-based company Excelsior Strategies to exploit the first-party data the campaign had collected. The contract was set up by Trump's campaign manager, Brad Parscale, who built the list as the digital director of Trump's 2016 campaign and began renting it out soon after the November 2016 elections.
Subject to the Trump campaign's veto authority, Excelsior rents out this…
Content Type: Examples
In 2018, the UK Cabinet Office said a trial of compulsory voter ID was necessary because reports of voter fraud had more than doubled between the 2014 and 2016 elections - a claim immediately disputed by a voter and upheld by the UK Statistics Authority. While it was true that there were 21 reports in 2014 and 44 in 2016, the number fell to 28 in 2017, small numbers to begin with. Crucially, more than twice as many people voted in 2016, the year of the EU referendum. None of the five…
Content Type: Examples
In the months leading up to the US 2018 midterm elections, Republican officials in Georgia, Texas, and North Carolina made moves they described as ensuring voting integrity but which critics saw as blocking voter access. In Georgia, where Secretary of State Brian Kemp is charged with enforcing election law and was simultaneously running for governor, election officials blocked 53,000 applications to register, 70% of which are those of African-Americans, under a law requiring personal…
Content Type: Examples
The proposed extension to the Trans Mountain pipeline, which would connect Alberta and British Columbia in parallel to the existing pipeline and triple its capacity, was controversial for years before Canada approved the project in 2016. In 2014, the British Columbia Civil Liberties Association complained to the Security Intelligence Review Committee that the Canadian Security Intelligence Service was spying on anti-pipeline activists and sharing the information it collected about "radicalised…
Content Type: Examples
A little over a month before the US 2018 midterm elections, Twitter updated its rules to reduce manipulation of its platform. Among the changes, the company outlined the factors it would use to determine whether an account is fake and should be removed, provided an update on its automated detection and enforcement actions, and announced some changes to its user interface, which included reminding candidates to turn on two-factor authentication and encouraging US voters to register and vote.…
Content Type: Examples
In July 2018, members of the Internal Security Organisation, Uganda's counterintelligence agency, raided South African telecommunications provider MTN's Uganda data centre in Mutundwe. In a letter to the police, MTN said the ISO kidnapped a data manager who worked for the contractor that ran the data centre on MTN's behalf, Huawei Technologies. Moses Keefah Musasizi was taken to the ISO head office in Nakasero and held for four hours before being forced to grant access to the data centre and…
Content Type: Examples
In 2018, British immigration officers demanded that the mothers of two children provide DNA samples in order to provide proof of paternity. The children both had British fathers and had previously been issued British passports, but their mothers were not UK citizens. In one case, the father had remarried and was refusing to supply a sample; in the other, a year's gap between birth and registration apparently led to the request, even though the child concerned was nine years old. Home Office…
Content Type: Examples
In May 2018, the ACLU of Northern California obtained documents under a FOIA request showing that Amazon was essentially giving away its two-year-old Rekognition facial recognition tools to law enforcement agencies in Oregon and Orlando, Florida. Amazon defended the move by saying the technology has many useful purposes, including finding abducted children and identifying attendees at the 2018 wedding of Britain's Prince Harry and Meghan Markle. The company markets Rekognition as useful for…
Content Type: Examples
At the 2017 Champions League Final, South Wales Police deployed an automated facial recognition system that wrongly identified more than 2,000 people in Cardiff as potential criminals. The system's cameras watched 170,000 people arrive in Cardiff for the football match between Real Madrid and Juventus, and identified 2,470 potential matches. According to the force's own figures, 92% (2,297) of these matches were false positives. SWP has also deployed the technology at the annual Elvis festival…
Content Type: Examples
In August 2018, two lawsuits were filed against NSO Group, one brought in Israel by a Qatari citizen and the other in Cyprus by Mexican journalists and activists. All the plaintiffs had been targeted by the company's Pegasus spyware, which takes control of targets' phones when they click on links sent via carefully crafted phishing messages. The company claims that it sells the technology to governments on condition that they use it exclusively against criminals and it is not responsible for…
Content Type: Examples
In 2018, the Chinese Communist Party's anti-corruption watchdog in southeastern Hefei in the Anhui province claimed in a social media post that its branch in a neighbouring city had retrieved deleted messages from a suspect's WeChat account. Tencent, WeChat's operator, denied that the company stored or performed data analytics on users' chat histories, and said that histories and messages were only stored on users' own phones and computers. The watchdog went on to question numerous suspects;…
Content Type: Examples
In what appears to be an extension of China's tracking of its Muslim citizens, 3,300 of the 11,500 Chinese pilgrims joining the 2018 hajj to Mecca were outfitted with GPS trackers. When photos were shown of the first group preparing to depart wearing trackers around their necks, the state-run Chinese Islamic Association claimed it was to make the trip safer for them. Each device reportedly contains a QR code connected to an app that reveals the wearer's picture, passport number, address, and…
Content Type: Examples
In 2018 genetic testing companies such as Ancestry and 23andMe agreed on guidelines for sharing users' DNA data and handling police requests. The guidelines, which include easy-to-read privacy policies, were inspired by two incidents: one in which local investigators used the GEDmatch DNA comparison service to identify a suspect in the Golden State Killer case, and the other 23andMe's announcement that in return for a $300 million investment it would grant GlaxoSmithKline access to "de-…
Content Type: Examples
In internet scans conducted between August 2016 and August 2018, Canada's Citizen Lab identified a total of 45 countries in which operators of Israel-based NSO Group's Pegasus spyware may be conducting surveillance operations. Pegasus is mobile phone spyware that targets are coerced into installing via a carefully constructed phishing attack; clicking on the exploit link installs the spyware without the user's knowledge or permission and bypasses the phone's security protections to send the…
Content Type: Examples
In 2018 a report from the Royal United Services Institute found that UK police were testing automated facial recognition, crime location prediction, and decision-making systems but offering little transparency in evaluating them. An automated facial recognition system trialled by the South Wales Police incorrectly identified 2,279 of 2,470 potential matches. In London, where the Metropolitan Police used facial recognition systems at the Notting Hill Carnival, in 2017 the system was wrong 98% of…
Content Type: Examples
In September 2018 the UK's Information Commissioner found that it was likely that during 2017 a number of migrant rough sleepers were reported to the Home Office enforcement teams by the homelessness charity St. Mungo's. The finding followed a complaint from the Public Interest Law Unit. The charity claimed it passed on these details when people wanted to return home. The Home Office halted its policy of deporting migrant rough sleepers in December 2017 and the government was to pay hundreds of…
Content Type: Examples
Following a 2016 hack that exposed the names, emails, addresses, and phone numbers of 57 million Uber users and drivers, the company paid 100,000 USD to the hackers in the hope that the data collected would be deleted. This decision was in line with Uber's strategy of trying to keep the breach quiet while limiting potential abuses. The company said it believed the data had not been used, but was unable to provide any proof. The hack itself was conducted through a private GitHub repository that the…
Content Type: Examples
At the end of September 2018, the sales intelligence company and data aggregator Apollo notified its customers that over the summer Vinny Troia, the founder of Night Lion Security, had discovered that Apollo's database of 212 million contact listings and 9 billion data points relating to companies and organisations was freely accessible via the web. Apollo noted that it collects a lot of its information from public sources around the web; however, it scrapes Twitter and LinkedIn profiles for…
Content Type: Examples
In 2014, a team of four Swedish and Polish researchers began scraping every comment and interaction from 160 public Facebook pages. Two years later, they had collected one of the largest sets of user data ever assembled from the social network; it enabled them to track the behaviour of 368 million members. Techniques like those the researchers used have been used by scholars around the world for a decade to compile hundreds of Facebook data sets of all sizes. Many have been used for research…
Content Type: Examples
In July 2018, attackers broke into the SingHealth Singaporean government health database and stole names, addresses, and various other details of 1.5 million people who visited clinics between May 1, 2015 and July 4, 2018; however, the attackers did not gain access to most medical records with the exception of outpatient prescription medication data relating to about 160,000 patients including Singapore Prime Minister Lee Hsien Loong and several ministers. The government said none of the…
Content Type: Examples
In June 2018, security researchers found that Google's smart speaker and home assistant, Google Home, and its Chromecast streaming device could be made to leak highly accurate location information because they failed to require authentication from other machines on their local network. The attack worked by requesting a list of nearby wireless networks from the Google device and sending that list on to Google's geolocation lookup service, whose map of wireless network names around the world is…
Content Type: Examples
In July 2018, a hacker attack exposed the personal data of millions of Spanish subscribers to Telefónica's Movistar service. The data included identity and payment information, phone and national ID numbers, banks, and calling data. The cause was a basic programming error known as an "enumeration bug" that allowed anyone logged into one account to alter the ID number inside the URL and view others' data. It was not clear that the data had been exploited. However, Telefónica's CEO suggested that the…
Content Type: Examples
In June 2018, security researcher Vinny Troia discovered that the Florida-based data broker Exactis had exposed a comprehensive database containing nearly 340 million individual records on a publicly accessible server. The 2TB of data appeared to include detailed information on millions of businesses as well as hundreds of millions of American adults that included as many as 400 highly personal characteristics, including number, age, and gender of children, as well as phone numbers and home and…
Content Type: Examples
Between May 18 and May 22, a bug in Facebook's system changed the settings on 14 million users' accounts so that newly posted updates they thought were private might have been made public instead. The company attributed the error to a mistake made in redesigning how the public parts of user profiles are displayed. After Facebook found the bug, it was another five days before all privacy settings were correctly restored.
https://www.washingtonpost.com/news/the-switch/wp/2018/…
Content Type: Examples
In July 2018, the leader of a private Facebook group for women with the BRCA gene, which is associated with high breast cancer risk, discovered that a Chrome plug-in was allowing marketers to harvest group members' names and other information. The group was concerned that exposure might lead to other privacy violations and discrimination from insurers. The company shut down the extension and closed the loophole. The case is of particular concern because the US Health Insurance Portability and…
Content Type: Examples
As part of an ongoing hacker vendetta against surveillance apps installed by abusive partners, in July 2018 a hacker targeted SpyHuman, an India-based company that offers software that monitors Android devices, claiming the software should be taken off the market. Once someone gains physical access to a device and installs the software, SpyHuman's app will intercept phone calls and messages, track GPS locations, read social media messages, and even turn on the device's microphone. The collected…
Content Type: Examples
In May 2018, UK-based security researcher Robert Wiggins discovered that the mobile app TeenSafe, marketed as a secure app for iOS and Android, was storing data it collected on servers hosted on Amazon's cloud without a password and openly accessible. The app lets parents monitor their children's text messages, location, browsing history, and apps, as well as who they called and when, and does not require parents to obtain their children's consent. The insecurely stored 10,200 records included…
Content Type: Examples
The US Securities and Exchange Commission announced in April 2018 that it would fine Altaba, formerly known as Yahoo, $35 million for failing to disclose its massive 2014 data breach. Yahoo did not notify the hundreds of millions of customers until the end of 2016, when it was closing its acquisition by Verizon, even though the SEC found that the company knew within days that Russian hackers had stolen their user names, email addresses, phone numbers, birth dates, encrypted passwords, and the…